General

  • Target

    94cf0811c042811a570505a14af536a5.exe

  • Size

    596KB

  • Sample

    210211-8wd7dd262x

  • MD5

    94cf0811c042811a570505a14af536a5

  • SHA1

    80373791f6df8e24d072308c3f56d11438741aaf

  • SHA256

    36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe

  • SHA512

    25912f1a83eb62acfd37f829244da464fbc3736383d1022a9fdcf7a61bfce8b11c93f2226f41e497425391a5d65f04691841cc5cd885189fa3c6abb3659f6fe6

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.192.241:443

134.119.186.199:443

172.93.201.39:443

104.168.156.222:443

Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      94cf0811c042811a570505a14af536a5.exe

    • Size

      596KB

    • MD5

      94cf0811c042811a570505a14af536a5

    • SHA1

      80373791f6df8e24d072308c3f56d11438741aaf

    • SHA256

      36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe

    • SHA512

      25912f1a83eb62acfd37f829244da464fbc3736383d1022a9fdcf7a61bfce8b11c93f2226f41e497425391a5d65f04691841cc5cd885189fa3c6abb3659f6fe6

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Collection

Data from Local System

3
T1005

Tasks